Firewall Wizards mailing list archives
RE: Managed Security Metrics
From: "Crumrine, Gary L" <CrumrineGL () state gov>
Date: Wed, 7 Mar 2001 06:09:39 -0500
I think one of the biggest things a potential customer has to do is be realistic in their expectations. Consider what the underlying reason is that is leading them to outsource. Some of the reasons that make sense are not possessing the required staff, being unable to afford the up-front costs to do it yourself, etc. A good rule of thumb I would suggest is to not expect much more from a provider than what you are willing or able to do yourself. Now there is going to be a higher expectation of competency, surely, but think about it. For you to build in full redundancy, 24x7 monitoring, 0 downtime, CERT reaction teams, etc... it all represents a large investment for anyone to fully implement, whether that be the customer or the outsourced provider. You can't expect to get full-house capability on a beer budget... nor can you expect the same requirements from the outsource provider if you are not willing or able to pay for the added services.

Do I think it reasonable to expect them to maintain their equipment, patches, etc.? Certainly. Do I expect a reasonable response time in solving problems? Sure. But customers must also realize they are not the only customers that the provider has to support. That is why most providers will package their offerings at different levels of service with various price points to match. It is all about providing reasonable and affordable service levels at prices that match your enterprise needs. You want direct access to support? It will cost you... If you can afford to wait in the queue, then step your support level down a notch or two.

Lastly, I have seen people suggest that they expect to never be breached/hacked, whatever. Think about that... there is no system without vulnerabilities that cannot be exploited over time. The most you can realistically expect is that the provider acts in a professional manner, maintains their equipment/software and is capable of reacting to crisis situations in a reasonable amount of time. Exactly what you would expect from your staff if you kept the service in house.
-----Original Message-----
From: Adam Shostack [SMTP:adam () homeport org]
Sent: Monday, March 05, 2001 6:01 PM
To: Mike Smith
Cc: firewall-wizards () nfr com
Subject: Re: [fw-wiz] Managed Security Metrics

I think that there's a lot of process issues which are not easily quantified. For example, I want to know that an account will be shut off within 5 minutes of a lost token report, but more than that I want them to go through a list of accounts quarterly to ensure that there is a known, employed user using the account. I'd like to see log monitoring, a guaranteed response time to certain classes of events, e.g., any user not on a shortlist becoming root leads to a phone call that connects with my escalation tree inside of 15 minutes.

Perhaps you can make the question more specific: What are you trying to protect? What is the service selling you? Is it "firewall and in, end-to-end security?" Is it firewall log monitoring?

Adam

On Mon, Mar 05, 2001 at 01:37:10PM -0500, Mike Smith wrote:
| So I'm back to asking, what are suitable, measurable criteria for judging
| the quality of my security service provider's performance?
|
| Mike Smith

--
"It is seldom that liberty of any kind is lost all at once." -Hume

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
_______________________________________________ firewall-wizards mailing list firewall-wizards () nfr com http://www.nfr.com/mailman/listinfo/firewall-wizards
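The two process metrics Adam quotes (an account disabled within 5 minutes of a lost-token report, and a root escalation by anyone outside a known shortlist reaching the escalation tree within 15 minutes) are the kind of thing a customer can actually measure from a provider's logs. The script below is an added example, not code from either poster or from any provider: it scans constructed syslog-style lines, pairs each triggering event with the provider's response event, and reports whether each pair met its SLA. The user names, hostnames, timestamps, the `ROOT_SHORTLIST` and the pager/identity-management message formats are all assumptions made up for the example.

```python
"""Measure two managed-security SLAs from log lines (added example).

Checked here:
  * root escalation by a user NOT on the shortlist -> escalation call within 15 min
  * lost token reported for a user              -> account disabled within 5 min
All sample data is constructed for the example.
"""
import re
from datetime import datetime, timedelta

ROOT_SHORTLIST = {"alice", "bob"}            # assumed: admins expected to become root
ROOT_ESCALATION_SLA = timedelta(minutes=15)  # from the message: phone call inside 15 min
TOKEN_DISABLE_SLA = timedelta(minutes=5)     # from the message: account off inside 5 min

# Constructed log lines: "<ISO timestamp> <host> <message>". The su lines mimic
# pam_unix session messages; the pager/helpdesk/idm lines are invented formats.
SAMPLE_LOG = """\
2001-03-05T13:00:12 fw1 su: pam_unix(su:session): session opened for user root by alice(uid=1001)
2001-03-05T13:05:40 fw1 su: pam_unix(su:session): session opened for user root by mallory(uid=1042)
2001-03-05T13:18:02 soc pager: escalation call placed for event root-by-mallory
2001-03-05T14:00:00 helpdesk token: lost token reported for user carol
2001-03-05T14:03:30 idm account: disabled user carol
2001-03-05T15:00:00 helpdesk token: lost token reported for user dave
""".splitlines()

ROOT_RE = re.compile(r"session opened for user root by (\w+)")
PAGE_RE = re.compile(r"escalation call placed for event root-by-(\w+)")
LOST_RE = re.compile(r"lost token reported for user (\w+)")
DISABLED_RE = re.compile(r"disabled user (\w+)")


def parse(lines):
    """Return (timestamp, message) pairs sorted by time; host field is dropped."""
    events = []
    for line in lines:
        ts, _host, msg = line.split(" ", 2)
        events.append((datetime.fromisoformat(ts), msg))
    return sorted(events)


def _first_response_after(events, start, pattern, user):
    """Timestamp of the first event at/after `start` whose message matches
    `pattern` for this `user`, or None if the provider never responded."""
    for ts, msg in events:
        if ts < start:
            continue
        m = pattern.search(msg)
        if m and m.group(1) == user:
            return ts
    return None


def _finding(kind, user, reported, responded, sla):
    delta = None if responded is None else responded - reported
    return {
        "kind": kind,
        "user": user,
        "reported": reported,
        "responded": responded,
        "delta": delta,
        # a missing response is an SLA miss, not "unknown"
        "within_sla": delta is not None and delta <= sla,
    }


def check_root_escalations(lines, shortlist=ROOT_SHORTLIST, sla=ROOT_ESCALATION_SLA):
    """One finding per root session opened by a user outside the shortlist."""
    events = parse(lines)
    findings = []
    for ts, msg in events:
        m = ROOT_RE.search(msg)
        if not m or m.group(1) in shortlist:
            continue  # not a root session, or an expected admin
        user = m.group(1)
        paged = _first_response_after(events, ts, PAGE_RE, user)
        findings.append(_finding("root-escalation", user, ts, paged, sla))
    return findings


def check_token_disables(lines, sla=TOKEN_DISABLE_SLA):
    """One finding per lost-token report, paired with the account disable."""
    events = parse(lines)
    findings = []
    for ts, msg in events:
        m = LOST_RE.search(msg)
        if not m:
            continue
        user = m.group(1)
        disabled = _first_response_after(events, ts, DISABLED_RE, user)
        findings.append(_finding("token-disable", user, ts, disabled, sla))
    return findings


def sla_report(lines):
    """Summarise how many measured events met their SLA."""
    findings = check_root_escalations(lines) + check_token_disables(lines)
    met = sum(f["within_sla"] for f in findings)
    return {"findings": findings, "met": met, "total": len(findings)}


if __name__ == "__main__":
    report = sla_report(SAMPLE_LOG)
    for f in report["findings"]:
        status = "OK  " if f["within_sla"] else "MISS"
        print(f"{status} {f['kind']:16} {f['user']:8} delta={f['delta']}")
    print(f"{report['met']}/{report['total']} events within SLA")
```

On the constructed sample this flags mallory's root session (paged after 12 min 22 s, inside the 15-minute window), carol's lost token (disabled after 3 min 30 s) and dave's lost token, which never produced a disable and therefore counts as a miss. The point of the structure is that every metric is a pair of timestamps the customer can extract from logs the provider already has to hand over, which is what makes it a measurable criterion rather than a promise.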
Current thread:
- IP Spoofing and counter measures, (continued)
- IP Spoofing and counter measures Tib (Mar 09)
- Re: IP Spoofing and counter measures Ryan Russell (Mar 11)
- RE: Managed Security Metrics Bob . Eichler (Mar 05)
- RE: Managed Security Metrics Mike Smith (Mar 05)
- Re: Managed Security Metrics Adam Shostack (Mar 06)
- RE: Managed Security Metrics R. DuFresne (Mar 06)
- Re: Managed Security Metrics shawn . moyer (Mar 06)
- RE: Managed Security Metrics Mike Smith (Mar 06)
- Re: Managed Security Metrics Adam Shostack (Mar 09)
- RE: Managed Security Metrics R. DuFresne (Mar 09)
- RE: Managed Security Metrics Crumrine, Gary L (Mar 07)
- Re: Managed Security Metrics Jack McCarthy (Mar 07)
- IP Spoofing and counter measures Tib (Mar 09)